In words: I create a directory foo, with mode 0750, root as owner and testuser as the group. (testuser is the private group of testuser, but that doesn't matter.)

The getfacl command correctly shows no ACL's on this directory and there is not mask yet. The mask will be set accordingly to the group permissions if I would add a named group or user now.

If I explicitly set the mask to rwx now, the group permissions as shown by ls change too. I know it happens the other way around (the mask changes when the group permissions change), but this seems puzzling.

The more puzzling because the getfacl output does not show the group permissions as rwx but - as said - ls does.

Which one is right? Apparently, the output of getfacl is right, because testuser cannot write to foo. As expected, by the way, because I did not grant the testuser group any permissions to do so.

It goes on. I cannot allow the testuser group write permissions on foo by just using chmod. I have to explicitly set an ACL using setfacl -m g:testuser:rwx foo to allow testuser to finally touch foo/bar.

Can someone explain the rationale behind the difference in the outputs of getfacl and ls? I know it can be tricky to have normal permissions go together with ACL's, but this seems plain wrong. (Though I expect to be missing something glaringly obvious ;))

I just verified that this behaviour happens on FreeBSD9, Debian, RHEL5 and RHEL6. So it's either a bug that has spread itself very broadly, or it's not a bug at all. In that case, someone explain this to me :)
–
wzzrdFeb 10 '12 at 14:22

1 Answer
1

ACL_MASK The ACL_MASK entry denotes the maximum access
rights that can be granted by entries of type
ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.

and later:

else if the effective group ID or any of the supplementary group IDs
of the process match the file group or the qualifier of any entry of
type ACL_GROUP, then

if the ACL contains an ACL_MASK entry, then
if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ
or ACL_GROUP entries contain the requested permissions,
access is granted,
else access is denied.

This means that rwx CAN be granted on the dir, but the chmod bits have to agree with it.

Yeah, close. This states that the mask and the group have to agree on giving write access, which is logical. But it does not explain why 'ls' shows a file as writable by a group when it clearly is not.
–
wzzrdFeb 10 '12 at 14:21

2

Yes, sorry. Here again from the acl(5): If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. I think that should answer the question.
–
AndreasMFeb 10 '12 at 15:14

Well, how about that. I completely missed that :) Thanks for taking the time to read that manpage more thoroughly than I did ;)
–
wzzrdFeb 10 '12 at 15:28